
WhatsApp has confirmed that a security flaw in the app let attackers install spy software on their targets’ smartphones.

That has left many of its 1.5-billion users wondering how safe the “simple and secure” messaging app really is.

On Wednesday, chip-maker Intel confirmed that newly discovered problems with some of its processors could reveal secret information to attackers.

How trustworthy are apps and devices?

Was WhatsApp’s encryption broken? No. Messages on WhatsApp are end-to-end encrypted, meaning they are scrambled when they leave the sender’s device. The messages can be decrypted by the recipient’s device only.

That means law enforcement, service providers and cyber-criminals cannot read any messages they intercept as they travel across the internet.

However, there are some caveats.

Messages can be read before they are encrypted or after they are decrypted. That means any spyware dropped on the phone by an attacker could read the messages.

On Tuesday, news site Bloomberg published an opinion article calling WhatsApp’s encryption “pointless”, given the security breach.

However, that viewpoint has been widely ridiculed by cyber-security experts.

“I don’t think it’s helpful to say end-to-end encryption is pointless just because a vulnerability is occasionally found,” said Dr Jessica Barker from the cyber-security company Cygenta.

“Encryption is a good thing that does offer us protection in most cases.”

Cyber-security is often a game of cat and mouse.

End-to-end encryption makes it much harder for attackers to read messages, even if they do eventually find a way to access some of them.

What about back-ups?
WhatsApp gives the option to back up chats to Google Drive or iCloud, but those back-up copies are not protected by the end-to-end encryption.

An attacker could access old chats if they broke into a cloud storage account.

Of course, even if users decide not to back up chats, the people they message may still upload a copy to their cloud storage.

Should people stop using WhatsApp?
Ultimately, any app could contain a security vulnerability that leaves a phone open to attackers.

The National Cyber Security Centre (NCSC), the UK’s cyber-security watchdog, recently released its list of the most-used passwords on the Internet.

A quick look at the most common passwords is enough to know that a lot of work still needs to be done to educate computer users about cybersecurity.

The most common password was ‘123456’, followed by ‘123456789’, ‘qwerty’, ‘password’ and ‘1111111’.

While these common passwords are incredibly problematic, the most pervasive problem for home internet users was a combination of these easily guessed passwords, and the fact they were being re-used across multiple sites.

Re-using passwords on multiple platforms
Password re-use is problematic because a security breach on one site could compromise a user’s security on every other site where the same password is in use.

NCSC technical director Ian Levy explains:

“We understand that cybersecurity can feel daunting to a lot of people, but the National Cyber Security Centre has published lots of easily applicable advice to make you much less vulnerable.”

He added that re-using a password is a major risk which can be avoided because “nobody should protect sensitive data with something that can be guessed”.

Favourite celebrities
Sports teams and first names are other common choices for passwords, with ‘Ashley’ the most common name used as a password and ‘Liverpool’ the most common Premier League football team name used as a password. ‘Blink182’ was the most common band.

“Using hard-to-guess passwords is a strong first step, and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password,” added Levy.

There are several password management tools available that can generate unique passwords and store them in a central place for users who want to take their online security to the next level.

On 16 January, security researcher Troy Hunt uploaded a massive cache of leaked e-mails and passwords to his invaluable website Have I Been Pwned.

The 87GB dataset, dubbed “Collection #1,” was admittedly years old, and had been passed around by hackers for some time now. Still, the sheer scale of it — containing over 772-million email addresses — turned heads. Hold onto your digital butts, because as Krebs on Security reports, you ain’t seen nothing yet.

According to Krebs, the Collection #1 data breach is, unsurprisingly, part of a much larger collection of stolen online credentials being sold online. And, taken as a whole, it dwarfs Collection #1’s size.

Just how big are we talking? According to the hacker allegedly selling access to the data who communicated with Krebs over Telegram, the entire data set of email addresses and passwords comes close to 1TB. Brian Krebs, the infosec journalist behind Krebs on Security, tweeted a screenshot purportedly depicting a page listing the data for sale.

In addition to the 87GB Collection #1, there’s a 526GB Collection #2, a 37GB Collection #3, a 178GB Collection #4, a 42GB Collection #5, and two other folders totaling an additional 126GB worth of credentials.

The seller told Krebs that, in total, they had close to 4TB of so-called password packages. Yeah, that’s a lot. According to the image above, the “Price for access lifetime” is only a cool $45 (R630).

So your email, along with one or more passwords to various throwaway online accounts you’ve used and discarded over the years, is likely being traded on the dark web. What does this mean for you?

Well, if you’re smart about your online security, probably not too much immediately. Assuming you use unique passwords for each account online — and you definitely should — any of your passwords contained in the dataset would only gain a hacker access to one specific online service. Like, say, your old Tumblr account. And, if you use two-factor authentication, you’re likely in the clear.

However, all this goes out the window if a hacker gets access to your main email account and can initiate password resets. And if the email account in question just so happens to share a password with your now-defunct Neopets account or whatever? You might legit be in trouble. Consider getting a password manager, and make sure your email has a unique password and 2FA.

And then go about your normal online business, comfortable in the knowledge that your personal data is being sold to hackers for the low, low price of $45 (R630).

A million hacked Facebook accounts isn’t cool. You know what’s even less cool? Fifty million hacked Facebook accounts.

A Friday morning press release from our connect-people-at-any-cost friends in Menlo Park detailed a potentially horrifying situation for the billions of people who use the social media service: Their accounts might have been hacked. Well, at least 50 million of them were “directly affected,” anyway.

The so-called “security update” is light on specifics, but what it does include is extremely troubling.


“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts,” reads the statement. “[It’s] clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As’, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

That’s right, almost 50 million accounts were vulnerable to this attack. As for how many were actually exploited?

“Fifty million accounts were directly affected,” explained Facebook VP of product management Guy Rosen on a Friday morning press call, “and we know the vulnerability was used against them.”

“We did see this attack being used at a fairly large scale,” added Rosen. “The attackers could use the account as if they are the account holder.”

The statement itself didn’t provide much additional insight.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” continues the statement. “We also don’t know who’s behind these attacks or where they’re based.”

Facebook says it has fixed the vulnerability, and that 90 million people may suddenly find themselves logged out of their accounts or various Facebook apps as a result.

The disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.

Facebook is working with law enforcement, and, at least for now, says you don’t need to change your password. But maybe go ahead and log out of your account, everywhere, just to be safe.

“[If] anyone wants to take the precautionary action of logging out of Facebook, they should visit the ‘Security and Login’ section in settings,” advises the warning. “It lists the places people are logged into Facebook with a one-click option to log out of them all.”

So yeah, click through that link and log out of your account on all webpages and apps at once. After that, maybe think long and hard about whether it’s even worth logging back in.

It is not a message any frequent flyer looks forward to receiving. On 7 September, British Airways (BA) said it had emailed over 380 000 customers who had booked flights with the carrier between 21 August and 5 September admitting that their credit-card details had been stolen by hackers.

Mr Cruz has promised compensation for any customers financially affected by the hack.

The airline has not released the full details of what happened, and is still investigating the breach. But it has admitted that it was only data used in transactions in that 15-day period, not saved credit-card data on customer accounts, that was stolen.

Cyber-security experts say that hack sounds like it breached the system that managed customer payments, unlike previous attacks on other big companies where saved data was stolen.

Whatever the cause of the attack, aviation analysts think BA is likely to be hit hard by fines from regulators. Under the EU’s new General Data Protection Regulation, which came into force in May, BA could face a fine of up to 4% of its revenues if it is determined that it did not do enough to protect customer information.

That would be around £500m ($650m). If regulators decide that the penalty should be levied on the entire revenues of IAG, BA’s parent, that number could swell to as much as €1bn ($1.16bn). After adding the cost of compensating customers affected by the breach, it is no wonder that the group’s shares dropped in value by 2% on the morning the news became public.

But analysts are wary about saying that the hack will affect BA or IAG’s longer term performance.

BA has been hit by a series of complaints about falling standards of service on its flights and by a computer crash that stranded 75,000 of its passengers last May. Mr Cruz has been crucified in the media for both public-relations meltdowns. Yet neither issue has really affected demand for BA flights.

So why do BA passengers keep coming back to the airline, in spite of it losing their credit-card data, checked-in baggage and taking away free nosh onboard? The answer is that they have little choice.

New airlines simply cannot take market share away from BA at Heathrow. As long as it uses each take-off and landing slot it is allocated 80% of the time, it can keep it for the next season. As a result, the share of slots at Heathrow owned by BA’s parent has risen from 36% in 1999 to 54%. It has also been gobbling up slots at Gatwick from defunct airlines such as Monarch, to make sure Norwegian, a disruptive long-haul low-cost competitor, cannot get their hands on them.

However much the airline’s computer systems go wrong or it cuts back its level of service onboard, new competitors cannot push it off the runway. Another IT disaster will not change that.

Financial services group Liberty Life sent out an SMS to its clients on Saturday evening informing them of a major security breach.

Liberty launched an investigation after its systems were hacked, and said the hackers alerted the company to potential vulnerabilities in its systems and were now demanding compensation.

The Sunday Times reported that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the data.

Liberty has communicated with its customers regularly, advising them to change passwords as applicable.

Liberty Life hack could be ‘an inside job’: expert

A security expert has questioned how hackers gained access to Liberty Life clients’ information, suggesting it could have been an inside job.

The financial services provider confirmed on Saturday that its information technology system was hacked last week by people who demanded payment. It has since regained control of the system.

“It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person’s permissions to get into the system,” said managing director of Ukuvuma Cyber Security, Andrew Chester.

He said the hack could have been avoided by applying general data security practices such as encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.

“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted? When doing threat-hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Chester said it was also concerning that no-one detected the breach until the hackers themselves informed the company.

“There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them,” he said.

The company said its investigation into the breach was at an “advanced stage”.

The 2018 selloff in cryptocurrencies deepened, wiping out about $42bn (about R552bn) of market value over the weekend and extending this year’s slump in Bitcoin to more than 50%.

Some observers pinned the latest retreat on an exchange hack in South Korea, while others pointed to lingering concern over a clampdown on trading platforms in China. Cryptocurrency venues have come under growing scrutiny around the world in recent months amid a range of issues including thefts, market manipulation and money laundering.

Bitcoin has dropped about 12% since 5 pm New York time on Friday and was trading at $6,756, bringing its decline this year to 53%.

Most other major virtual currencies also retreated, sending the market value of digital assets tracked by Coinmarketcap.com to a nearly two-month low of $298bn. At the height of the global crypto-mania in early January, they were worth about $830bn.

Enthusiasm for virtual currencies has waned partly due to a string of cyber heists, including the nearly $500m theft from Japanese exchange Coincheck Inc. in late January. While the latest hacking target – a South Korean venue called Coinrail – is much smaller, the news triggered knee-jerk selling, according to Stephen Innes, head of Asia Pacific trading at Oanda in Singapore.

“This is ‘If it can happen to A, it can happen to B and it can happen to C,’ then people panic because someone is selling,” Innes said.


The slump may have been exacerbated by low market liquidity during the weekend, Innes added.

“The markets are so thinly traded, primarily by retail accounts, that these guys can get really scared out of positions,” he said. “It actually doesn’t take a lot of money to move the market significantly.”

Coinrail said in a statement on its website that some of the exchange’s digital currency appears to have been stolen by hackers, but it didn’t disclose how much. The venue added that 70% of the cryptocurrencies it holds are being kept safely in a cold wallet, which isn’t connected to the Internet and is less vulnerable to theft. Two-thirds of the stolen assets – which the exchange identified as NPXS, NPER and ATX coins – have been frozen or collected, while the remaining one third is being examined by investigators, other exchanges and cryptocurrency development companies, it said.

Coinrail trades more than 50 cryptocurrencies and was among the world’s top 100 most active venues, with a 24-hour volume of about $2.65 million, according to data compiled by Coinmarketcap.com before news of the hack.

The Korean National Police Agency is investigating the case, an official said by phone.

In China, the Communist Party-run People’s Daily reported on Friday that the country will continue to crack down on illegal fundraising and risks linked to Internet finance, quoting central bank officials. The nation’s cleanup of initial coin offerings and Bitcoin exchanges has almost been completed, the newspaper said, citing Sun Hui, an official at the Shanghai branch of the central bank.

“Whois lookup” information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75-million database records held there. More than 60-million of those records consisted of the personal data of South African citizens.

Contacted by TechCentral for comment on Wednesday morning, Jigsaw management requested time to investigate the issue, and on Wednesday evening neither the company nor its legal counsel was contactable.

When the news of the huge trove of personal information was shared by information security researcher Troy Hunt on Tuesday, the initial response was that there had been a hack. But it seems that hacking wasn’t required: the information was easily available on an open Web server. Direct access to the server had, at the time of writing late on Wednesday afternoon, been secured.

It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.

The company initially fingered for the breach in some online articles, Dracore Data Sciences, is innocent. Initial circumstantial evidence linking the company based on some common headers on one of their own websites seems to be coincidence. Although Dracore may have been a data “enricher” for the company that leaked the data, it doesn’t seem likely that they had anything to do with the leak, and Dracore is adamant that it’s not involved.

Popi Act
Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10-million in fines and negligent company officers jailed for up to 10 years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.

Chris Basson, from Eighty20 business consultancy, put it like this: “Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.”


Basson argued that one should look beyond the ineptitude of the people who made the information so easily available, and rather ask the question: “Who was the idiot that gave them access to the data in the first place?”

The security missteps are egregious and, according to infosec consultancy SensePost’s Willem Mouton, show an “overall lack of security awareness”.

“From a development perspective, the websites appear to be vulnerable to SQL injection… [and]… in terms of deployment, having database interfaces open to the Internet provide entry points.”

He pointed out that while examining the site, SensePost noticed that “the credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere”.

These leaked credentials allowed for full administrator privileges in the database, and in fact allowed full administrator access to all the databases on the server. To make matters worse, the personal data was contained in a single database in clear text.

Mouton also noted that it was concerning that nobody noticed the large volume of data leaving the network. “Multiple people pulled a 30GB file, and nobody noticed.”

He said verbose error messages and indexable Web directories were a boon to anyone who wished to hack the server.

Unfortunately, for South Africans whose personal information is now widely available, there isn’t much that they can do other than increase their vigilance for any attempts at identity theft.
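As an added example (not code from the article or from any of the companies named), the Python below runs the checks a defender would want for the three failings Mouton describes: database ports reachable from outside the internal address ranges, bulk transfers from the database on the scale of the 30GB pulls that nobody noticed, and credentials leaking through verbose error messages. The log format, address ranges, ports, the 5GB per-source daily threshold and the error page are all constructed assumptions.

```python
"""Detection checks for an exposed database server, run over constructed inputs."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges and database ports; adjust to the real environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DB_PORTS = {3306, 5432, 1433}
VOLUME_THRESHOLD_BYTES = 5 * 1024 ** 3  # 5 GB per source per day (assumed policy)

# Constructed connection log: "<date> <src_ip> <dst_ip> <dst_port> <bytes_out>".
# Two external hosts each pull 30 GB from the database port in one day.
SAMPLE_LOG = """\
2017-10-17 10.0.4.12 10.0.1.5 3306 5242880
2017-10-17 203.0.113.40 10.0.1.5 3306 32212254720
2017-10-17 198.51.100.9 10.0.1.5 3306 32212254720
2017-10-17 10.0.4.12 10.0.1.5 443 1048576
2017-10-18 198.51.100.9 10.0.1.5 3306 1024
"""

# Constructed verbose error page that echoes a connection string.
SAMPLE_ERROR_PAGE = (
    "Warning: mysqli_connect(): Access denied for user 'app'@'10.0.1.5' "
    "in /var/www/html/db.php on line 12. "
    "Connection string: host=10.0.1.5;user=app;password=Example123;db=leads"
)

# Matches password=value, pwd=value or passwd=value, optionally quoted.
CRED_PATTERN = re.compile(r"(?i)\b(?:password|pwd|passwd)\s*=\s*['\"]?([^'\";\s]+)")


def parse(log):
    """Yield one event dict per non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        date, src, dst, port, nbytes = line.split()
        yield {"date": date, "src": ip_address(src), "dst": ip_address(dst),
               "port": int(port), "bytes": int(nbytes)}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def exposed_db_connections(events):
    """Database-port connections whose source is outside the internal ranges."""
    return [e for e in events if e["port"] in DB_PORTS and not is_internal(e["src"])]


def bulk_egress(events, threshold=VOLUME_THRESHOLD_BYTES):
    """Total bytes per (date, source) over database ports that reach the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["port"] in DB_PORTS:
            totals[(e["date"], str(e["src"]))] += e["bytes"]
    return {key: total for key, total in totals.items() if total >= threshold}


def leaked_credentials(body):
    """Return any password-like values echoed in an HTTP response body."""
    return CRED_PATTERN.findall(body)


def analyse(log=SAMPLE_LOG, error_page=SAMPLE_ERROR_PAGE):
    events = list(parse(log))
    return {
        "exposed": exposed_db_connections(events),
        "bulk": bulk_egress(events),
        "leaked": leaked_credentials(error_page),
    }


if __name__ == "__main__":
    report = analyse()
    for e in report["exposed"]:
        print(f"DB port {e['port']} reached from external {e['src']} on {e['date']}")
    for (date, src), total in report["bulk"].items():
        print(f"{src} pulled {total / 1024 ** 3:.0f} GB from database ports on {date}")
    for secret in report["leaked"]:
        print(f"error page leaks a credential ending in ...{secret[-3:]}")
```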

A leading offshore law firm with clients including the super-rich and international corporations has revealed it suffered a “data security incident” that may result in customers’ private information being leaked.

Bermuda-based Appleby, which has offices in a number of British overseas territories, said some of its data had been “compromised” in the 2016 cyber incident.

The firm issued a statement after it was contacted by a group of investigative journalists probing allegations concerning its “business and the business conducted by some of our clients”.

Without specifying, Appleby said it had taken the allegations “extremely seriously” and after investigating the claims itself concluded “there is no evidence of any wrongdoing, either on the part of ourselves or our clients”.

According to a report by the Daily Telegraph, a number of media organisations are preparing to release details of the leaks over the coming days.

Appleby said: “We are an offshore law firm who advises clients on legitimate and lawful ways to conduct their business.

“We do not tolerate illegal behaviour. It is true that we are not infallible. Where we find that mistakes have happened, we act quickly to put things right and we make the necessary notifications to the relevant authorities.

“We are committed to protecting our clients’ data and we have reviewed our cyber security and data access arrangements following a data security incident last year which involved some of our data being compromised.

“These arrangements were reviewed and tested by a leading IT forensics team and we are confident that our data integrity is secure.”

The firm said it was “disappointed” that the media may choose to publish material “obtained illegally” and warned that it may result in “exposing innocent parties to data protection breaches”.

According to Appleby’s website, its experts advise global public and private companies, financial institutions, and “high net worth” individuals.

A profile on Chambers and Partners says its clients include financial institutions, FTSE 100 and Fortune 500 companies.

Through offices in Bermuda, the British Virgin Islands, the Cayman Islands, Guernsey, the Isle of Man, Jersey, Mauritius and the Seychelles, it helps clients “achieve practical solutions, whether in a single location or across multiple jurisdictions”.

The company, which was named offshore firm of the year by Legal 500 UK in 2015, also has a presence in Hong Kong and Shanghai.

The cyber security incident has emerged around a year after a trove of private financial information relating to hundreds of individuals, including celebrities and high-profile public figures, known as the Panama Papers was stolen from legal firm Mossack Fonseca.

Microsoft’s internal database that it uses to track bugs in its software was reportedly hacked in 2013.

A highly sophisticated hacking group was behind the alleged breach, according to Reuters, which is the second known breach of this kind of corporate database.

Five former employees told the publication about the hack in separate interviews, though Reuters said Microsoft did not disclose the depth of the attack in 2013.

The database in question contained information on critical and unfixed vulnerabilities found in not only the Windows operating system but also some of the most widely used worldwide software, the publication reported.

Microsoft learned of the breach in early 2013 after a hacking group launched a series of attacks against high profile tech companies including Apple, Twitter and Facebook.

The group exploited a flaw in the Java programming language to access employees’ Apple computers, before moving into the company’s network, Reuters said.

Microsoft released a short statement following the attack on 22 February 2013 that said: “As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

“We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.”

In an email responding to questions from Reuters, Microsoft said: “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”

A Microsoft spokesperson told IT Pro: “In February 2013 we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen that could be used in subsequent attacks.”

This contradicts Reuters’ report, whose sources said that although the bugs in the database had been exploited in hacking attacks, the attackers could have found the information elsewhere.

Reuters said Microsoft didn’t disclose the breach because of this, and because many patches had already been released to customers.

“They absolutely discovered that bugs had been taken,” one source said. “Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”

Following the breach, Microsoft improved its security by separating the database from the corporate network and requiring two authentication steps to access the information, Reuters reported.

Mozilla had a similar attack in 2015 when an attacker accessed a database which included information on 10 unpatched flaws. One of the flaws was then used to attack Firefox users, which Mozilla told the public about at the time, telling customers to take action.

Mozilla CBO and CLO Denelle Dixon said the foundation released the information about what it knew in 2015 “not only [to] inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission.”

Reuters wrote that the hacking group has been called Morpho, Butterfly and Wild Neutron but security researchers say it is a proficient and mysterious group and that they cannot determine if it is backed by a state government.

Equifax revealed that a file containing 700,000 UK records was accessed during a data breach in May, giving attackers access to names and contact details. Of that figure, 700,000 accounts had partial credit information and email addresses stolen.